AD-A103  751 

UNCLASSIFIED 


RENSSELAER  POLYTECHNIC  INST  TROY  NY  DEPT  OF  MATHEMAT— ETC  F/S  9/2 
A  LAMBDA-CALCULUS  MODEL  FOR  GENERATING  VERIFICATION  CONDITIONS. <U) 
JUN  81  S  K  ABDALI »,  F  WINKLER  N00014-75-C-1026 

RPI-CS-8104  NL 


Accession  Tor 

HTIS  GRA&I  Jta*' 

DTIC  TAB  'Cf 

Unannounced  □ 

Justification _ 

Distribution/ 
Availability  Codes 
Avail  and/or 
1st  i  Special 


/y 


(  h'tS- 


Technical  Report  jCS-_81j)4_... 
^  LAMBDA ^CALCULUS  JJODEL  FOR 


GENERATING  J^ERIFICATION  CONDITIONS, 

Qy~ S.  Kamal/Abdali  j 
Franz/Winkler  / 

y*'.  V--  -  •  -  ■  .  ..  ‘ u 

(7  /  Jun*  108ll 


tfr 


cJ-  ,'_y  ^lCj  /' 


Prepared  for 

U.S.  Office  of^Nfival  Rasaarcb 
Contract  Numbgij' N00Ol4-75-C-1026j 

(/£>)  •  “ 


Mathematical  Sciences  Department 
Rensselaer  Polytechnic  Institute 
Troy,  New  York  12181 


DTIC 

ELECTEI 


SEP  4 


ion  LVAixr'ia-ii'  /f  1  "  c~ 

Approved  for  public  relCQ3o;  I  ^  $  f  / 

Distribution  Unlimited  ®  ' 


Introduction 


1 


The  most  well-known  program  verification  technique  is  based 
upon  the  Floyd-Naur  idea  of  inductive  assertions  [4] :  A  programming 
language  command  inposes  certain  fixed  implications  between  the 
relations  holding  among  the  values  of  program  variables  just  before 
and  just  after  the  execution  of  that  command.  The  (partial)  cor¬ 
rectness  of  a  program  can  thus  be  proved  if  the  output  specification 
claimed  at  the  program  exit  are  derived  from  the  input  specifications 
assumed  at  the  entrance  by  following  the  chain  of  implications 
mentioned  above  for  all  entrance-to-exit  control  flow  paths  in 
the  program.  Usually,  this  requires  1)  the  invention  of  a  number 
of  assertions  associated  with  some  key  points  ("cutpoints")  in 
the  program  2)  the  generation  of  the  implications  mentioned  above 
("verification  conditions")  for  every  pair  of  adjacent  points 
chosen,  and  3)  the  demonstration  (possibly,  using  the  services 
of  a  theorem-prover)  that  each  of  these  implications  is  true. 

Of  these,  the  second  task  —  the  generation  of  verification  condi¬ 
tions  is  strictly  a  mechanical  process  requiring  substitution  and 
simple  arithmetical  evaluation.  The  lambda- calculus  has  built-in 
rules  to  carry  out  the  process  of  substitution  and  can  be  easily 
augmented  with  arithmetical  evaluation  rules.  Thus,  it  seems 
reasonable  to  seek  a  lambda-calculus-based  method  for  the  automatic 
generation  of  verification  conditions. 

In  this  paper  we  develop  such  a  method.  It  has  been  obtained 
by  extending  an  existing  [1]  lambda-calculus  model  of  programming 
languages  in  which  programs  are  translated  into  lambda-expressions 
such  that  the  (numerical)  execution  of  programs  is  modelled  by  the 
lambda-calculus  process  of  reduction.  In  the  new  model,  a  program 
is  effectively  translated  into  a  lambda-expression  whose  reduction 
yields  a  list  of  all  verification  conditions.  The  extension  from 
the  previous  to  the  new  model  is  non-trivial,  for  we  are  now 
interested  in  a  sense  in  the  symbolic,  rather  than  numerical, 
evaluation  of  programs. 

For  generating  verification  conditions,  one  must  have  a 
program  as  well  as  inductive  assertions  associated  with  certain 


properly  chosen  outpoints  in  the  program.  We  specify  a  programming 
language  in  which  inductive  assertions  are  incorporated  within 
the  program  body  by  means  of  special  assert  statements.  Equipped 
with  assignments/  conditionals,  compounds,  ALGOL-type  blocks, 
and  loops,  this  language  is  simple  yet  quite  powerful.  We  then 
present  a  set  of  translation  rules  mapping  the  statements  of 
the  specified  programming  language  into  lambda-expressions. 

Using  these  rules,  a  program  can  be  effectively  translated  into 
a  lambda-expression,  say  by  extending  the  compiler  of  [5]. 

Finally,  we  show  that  the  model  is  correct  in  the  sense  that 
the  translation  of  any  program  produced  by  our  rules  does  indeed 
give  all  verification  conditions. 
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Verification  Conditions 

Given  a  program,  in  the  flowchart  form,  say,  and  the  program 
input  and  output  conditions,  the  inductive  assertion  method  to 
prove  the  partial  correctness  of  the  program  proceeds  as  follows 
Cl4],  explanation  in  [7]).  First,  outpoints  are  chosen  on  the 
flowchart  edges  such  that  there  is  at  least  one  cutpoint  in  each 
loop*  Cutpoints  are  also  placed  on  the  start  and  halt  edges. 

Next,  to  each  cutpoint  is  associated  a  predicate  —  the  inductive 
assertion  —  which  is  intended  to  express  the  relation  holding 
among  the  values  of  the  program  variables  each  time  the  control 
passes  that  cutpoint.  The  desired  input  and  output  conditions  of 
the  program  serve  as  the  assertions  at  the  start  and  halt  cutpoints, 
respectively.  Next,  a  verification  condition  is  constructed  for 
each  basic  path  —  a  path  which  begins  and  ends  at  two  (not  neces¬ 
sarily  different)  cutpoints  but  does  not  pass  through  any  other 
cutpoint.  The  verification  condition  for  a  basic  path  a  from 
cutpoint  i  to  cutpoint  j  states  that  if  the  assertion  at  i  is  true 
and  the  control  traverses  a,  then  the  assertion  at  j  will  hold 
(with  the  new  values  of  variables  attained  at  j).  Finally,  each 
verification  is  proved  to  be  true.  By  induction  it  is  then  the 
case  that  the  assertion  at  each  cutpoint  is  true  whenever  control 
reaches  that  cutpoint  (assuming  that  the  input  condition  on  the 
start  edge  is  satisfied  at  the  initiation  of  program  execution) . 

In  particular,  the  assertion  at  the  halt  edge  is  true  whenever 
control  reaches  this  edge,  that  is,  whenever  the  program  halts. 

Thus  the  program  is  partially  correct  with  respect  to  the  given 
input  and  output  conditions. 

In  constructing  the  verification  condition  for  a  given  path, 

one  has  to  take  into  account  the  transformation  in  variable  values 

resulting  from  the  execution  of  the  statements  in  the  path.  For 

example,  let  a  path  consist  of  a  single  assignment  statement 

xs^x+l  and  let  the  assertions  at  the  beginning  and  the  end  of  the 
2  2 

path  be  x  +2x+3>0  and  x  +2>0,  respectively.  The  verification  con- 

2 

dition  should  be  equivalent  to  the  statement:  If  x  +2x+3  is  true 

for  some  value  of  x,  and  the  assignment  x:-x+l  is  executed,  then 
2 

x  +2>0  is  true  for  the  new  value  of  x.  Clearly  this  is  not 
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equivalent  to 

x2+2x+3>0  x2+2>0 / 

2  2 

for  the  predicates  x  +2x+3>0  and  x  +2>0  hold  for  different  values 

of  x,  namely  those  respectively  before  and  after  the  execution 

of  x:=x+l.  We  can  "normalize"  the  predicates  so  as  to  make  them 

refer  to  the  same  values  of  x,  either  before  or  after  the  execution 

of  the  assignment  statement.  In  terms  of  the  values  existing  before 

2  2 

the  execution,  the  predicates  are  x  +2x+3>0  and  (x+1)  +2>0;  in  terms 

2 

of  the  values  after  the  execution,  they  are  (x-1)  +2(x-l)+3>0  and 
2 

x  +2>0.  The  verification  condition  can  then  be  written  in  the 
equivalent  forms 

x2+2x+3>0  O  (x+1) 2+2>0 
or,  (x-1)2+2 (x-l)+3>0  ZD  x2+2>0. 

In  general,  suppose  the  assertions  at  the  beginning  and  the 
end  of  a  path  a  are  P  and  Q,  respectively.  Then  the  verification 
condition  for  the  path  is  a  predicate  P'iRoQ',  where  R  represents 
the  condition  under  which  a  is  traversed  (R=true,  if  a  does  not  contain 
any  conditional  statement),  and  P",  Q'  are  obtained  from  P,  Q, 
respectively,  by  making  appropriate  substitutions  to  reflect  the 
changes  in  variable  values  effected  by  the  execution  of  statements 
in  a.  The  substitutions  should  be  done  so  as  to  make  P'  and  Q' 
refer  to  the  same  values  of  variables.  (R  should  be  derived  to  also 
correspond  to  the  same  values  of  variables.)  In  the  special  case 
that  the  predicates  are  to  be  expressed  in  terms  of  the  variable 
values  at  the  beginning  of  the  path,  P'  is  just  P,  and  Q'  is  formed 
from  Q  by  "backward  substitution"  16] :  The  path  is  traced  backward 
and  for  every  assignment  statement  encountered,  the  assigned 
expression  is  substituted  for  the  assigned  variable;  the  cumulative 
effect  of  all  such  substitutions  is  to  transform  Q  into  Q' .  On 
the  other  hand,  if  the  predicates  are  to  be  expressed  in  terms 
of  the  variable  values  at  the  end  of  the  path,  then  Q'  is  just  Q, 
and  P'  is  obtained  from  P  by  an  analogous  process  of  "forward 
substitution. " 

Since  the  lambda- calc  ulus  ([3,9])  contains  built-in  rules  to 
carry  out  the  process  of  substitution,  it  is  possible  to  use 
a  lambda-calculus-based  method  for  the  automatic  generation  of 
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verification  conditions.  The  method  to  be  described  in  this 
paper  has  been  obtained  by  modifying  and  extending  the  lambda** 
calculus  model  of  programming  languages  described  in  [1].  This 
model  is  comprised  of  rules  for  translating  programs  written 
in  a  large  subset  of  ALGOL  60  (or  a  similar  language)  into 
lambda-expressions  in  such  a  manner  that  if  the  result  of  ex¬ 
ecuting  a  program  P  with  inputs  i^,...,i  consists  of  outputs 
o^,...,on,  then  the  lambda-expression  ({P}{i^}. . . {im})  reduces 
to  the  tuple  or  list  <{o^} , . . . , {°n}>»  (Here,  {...}  denotes 
the  lambda-calculus  representation  of  the  enclosed  object. ) 

Based  upon  these  rules,  a  compiler  has  been  constructed  (15)) 
to  translate  PASCAL  programs  into  lambda-expressions.  The  goal 
of  the  model  to  be  presented  in  this  paper  is  to  provide  rules 
for  translating  any  program  suitably  annotated  with  assertions 
into  a  lambda-expression  whose  reduction  yields  a  list  of  the 
lambda-calculus  representations  of  the  verification  conditions. 
To  distinguish  the  two  models,  we  call  the  former  the  "execution 
model"  and  the  latter  the  "verification  model". 


Before  giving  any  translation  rules  for  the  verification  model, 
we  must  specify  the  language,  call  it  PL,  in  which  the  programs 
acceptable  by  the  model  can  be  written.  This  language  contains 
the  following  features: 

1.  Integer  and  boolean  data  types 

2.  The  usual  arithmetical,  boolean,  and  relational  operators 

3.  Assignment  statements  of  the  form  variable  :=  expression 

4.  Input  and  output  statements  of  the  form 

read  variable  list 
write  expression  list 

5.  Conditional  statements  of  the  form 

if  condition  then  statement 

if  condition  then  statement  else  statement 

6.  Compound  statements  and  blocks  as  in  ALGOL  60. 

Inductive  assertions  associated  at  chosen  outpoints  in  a  flowchart  are 
incorporated  directly  in  the  body  of  a  PL  program  by  means  of 
the  following  statements: 

7.  Assert  statement  of  the  form 

assert  assertion 

8.  Maintain-while  statement  of  the  form 

Maintain  assertion  while  condition  do  statement 

The  features  (1)  to  (6)  have  the  usual  ALGOL  60  semantics. 

The  effect  of  the  execution  of  sin  assert  statement  is  the  following: 
The  assertion  is  evaluated.  If  it  is  true,  then  control  passes 
to  the  next  statement;  if  false,  an  error  exception  occurs.  The 
effect  of  the  execution  of  a  maintain-while  statement  is  the 
following:  The  assertion  is  evaluated.  If  it  is  true,  then  the 
while-do  part  is  executed  according  to  the  usual  semantics;  if 
false,  an  error  exception  occurs. 

A  variable  occurring  in  any  statement  (3)  through  (8)  (as 
a  left-hand  part  or  an  operand  in  any  condition  or  expression) 
must  be  a  variable  in  whose  scope  the  statement  occurs,  that  is, 
must  be  a  variable  in  the  "environment"  of  the  statement  (see  [1]). 
However,  a  variable  occurring  in  an  assertion  in  any  statement 
(7)  or  (8)  may  be  a  variable  of  the  environment  of  the  statement 


or  it  may  be  one  of  the  special  variables  o,i^,...,im  where  m 
is  fixed  for  each  program.  Of  these  variables,  o  is  called  the 
output  variable,  and  ij  are  called  input  variables.  The  need 
for  these  variables  will  be  clear  later. 

PL,  the  source  language  for  our  verification  model,  is  much 
simpler  than  the  source  languages  used  in  the  execution  models 
of  [1,5],  yet  it  contains  more  features  than  in  [6,7],  say.  The 
verification  model  can  be  easily  extended  to  include  in  PL  such 
features  as  multiple  assignments  of  ALGOL  60,  collateral  (parallel) 
assignments  of  ALGOL  68,  for  and  repeat  statements  of  PASCAL, 
array  data  type,  and  functions  without  side-effects.  But  the 
incorporation  of  general  procedures  seems  difficult. 
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The  Verification  Model:  Preliminaries 

In  the  execution  model  [1,5]/  the  lambda-expression  repre¬ 
sentation  of  each  statement  (of  ALGOL  or  PASCAL,  say)  has  been 
derived  using  the  following  idea:  Each  statement  in  a  program 
may  be  thought  of  as  manipulating  1)  the  variables  accessible  at 
the  time  the  statement  is  executed  (these  constitute  the  statement's 
"environment") ,  and  2)  an  entity  identifying  the  point  in  the 
program  that  is  being  executed.  This  entity,  called  the  "continua¬ 
tion"  or  "program  remainder",  is  nothing  but  an  eventually  re¬ 
cursive  description  of  the  entire  portion  of  the  program  not 
executed  so  far.  The  statement  can  therefore  be  translated  as  an 
abstraction  with  respect  to  the  continuation  (denoted  by  the 
variable  <J>)  and  the  indeterminates  representing  the  program 
variables.  Referring  the  reader  to  [1,5]  for  the  actual  details 
of  representation,  we  give  below  some  examples  of  translation  in 
the  execution  model. 

Example.  Some  translations  in  the  execution  model 
Environment:  (x,y,x) 

Statement  Representation 

y:=x+3;  a=X<jixyz  :  <}>x  (+x3 )  z 


if  y=l 
then 

z  :=0 

else 

x:=z+l ; 


b=A<|>xyz :  (=yl)  cd<{>xyz,  where 
c=A<j>xyz  :<j»xyO 
d=Atj)xyz :  4>  (+zl)yz 


while  y>x  do 
x:=x+z; 


e5A<J>xyz :  (>yz)  (f<j>)<j>xyz 
fEA<J>xyz  :<j>  (+xz)yz 


write  x+3?  g=A<j>xyzo :  jixyzo;  (+x3) 

read  x,z;  gsA^xyzoi^ij  5  'J’ijY^0 

The  representation  of  variables,  constants,  operations, 
relations,  and  expressions  in  the  verification  model  is  the  same 
as  in  [1,5].  But  when  translating  statements,  we  need  some  other 
constituents  besides  the  continuation  and  the  environment.  These 
are : 

Variable  Stacks.  There  is  a  fundamental  difference  between  the 
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execution  of  a  conditional  statement  for  a  numerical  result  and 
the  symbolic  evaluation  for  generating  verification  conditions. 
Whenever  a  conditional  statement  is  reached  during  a  numerical 
execution,  some  condition  is  evaluated  and  according  to  the 
result  of  the  evaluation,  the  first  or  the  second  branch  of 
the  statement  is  taken.  In  the  verification  context,  however, 
we  actually  have  to  execute  both  branches  of  a  conditional 
statement,  and  moreover  it  is  essential  to  start  the  computation 
of  each  branch  with  the  same  values  of  the  various  program  var¬ 
iables.  We  solve  that  problem  by  keeping  a  stack  for  every 
variable.  Each  time  we  encounter  a  conditional  statement,  the 
current  values  of  the  program  variables  are  pushed  on  the  stack, 
and  when  we  pass  the  corresponding  ELSE  these  values  are  retrieved. 
Assertions.  Essentially  what  we  have  to  do  in  order  to  generate 
the  verification  conditions  for  a  program  is  to  traverse  every 
basic  path  of  the  program  between  inductive  assertions  and  output 
the  lemma: 

"assertion  at  start  point  &  path  condition  3  assertion  at  end 
point  with  appropriately  changed  values  of  variables". 

So  we  need  some  constituent  which  allows  us  to  store  the  asser¬ 
tion  of  the  start  point  and  successively  add  the  path  condition. 
This  leads  us  to  the  concept  of  an  assertion  constituent. 
Verification  conditions.  Whenever  a  verification  condition  is 
generated  we  want  to  store  it  in  some  constituent  which  finally 
will  be  the  output  of  the  whole  process. 

Thus  the  translation  of  a  statement  into  the  verfication  model  if 
of  the  following  form: 

X  4>  t  a  v,  o,  ...  a„  9  i,...^:  ♦,t'  a,v1,a1' 


program 

remainder 


y  i  u  V-  u,  •••  v  u  w  J-«1  •  y 

I  I  1  11  /  ry  n  |  1  1  m 

:aml  asser\  '^4^/  output  \  ^ 

V  inputs 


'  Vr,  '  '  O  ' 

n  n 


y 


verification 
conditions 


program 

variables 


new  values  to  reflect  the 
effect  of  the  statement 


Following  are  some  definitions  and  abbreviations  that  will 
be  used  later: 

I  =  Xx:x  (Identity,  null  list  or  triple) 


ft  =  (Xxy  :xx)  (Xxy  :xx)  (Undefined  value) 


<al'*  •  •  ”  Xx: 

xa^ . . .  an  /  n  >f 

‘  (list  or  triple) 

S11  5  Xx:xl 

(Note : 

sll<a> 

S21  5  Xx:x(Xxy:x) 

(Note  s 

s21<a;b>  -  a) 

s22  5  Xx:x(Xxy:y) 

(Note : 

s22<a,b>  -*■  b) 

a;b  =  Xx:axb 

(Note : 

<a^, . . .  ,an>  ;b  <a^,..., 

push  =  Xxy : <x,y> 

(Note : 

push  ab  -*■  <a,b>  +•  a;b 

push  <a^/.../an>b  -*■  <a1, 

gO£  S  S22 

(Note : 

pop  <alf . . .  ,an,b>  -*■  b) 

add  =  Xxy:push((s 

2ly)  &x)  (s22y) 

(Note : 

add  a<b,c>  -►  <b&a,c>) 

ch  =  Xx:push(s^1(s^^x)  )  (push(s 

'21*0  (s22  (s22x) ) ) 

(Note : 

ch<a,<b,c>>  <b ,<a,c») 

comb  =  Xx:push((s 

21x)  v(s21(s22 

|X)  )  )  (s 22  (s22x)  ) 

(Note : 

comb<a,<b,c>>  <avb,c>) 

Translation  Rules 
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Using  the  notation  of  [1]  (to  which  the  reader  is  referred 

for  motivation  and  explanation) ,  we  now  list  the  translation  rules 

of  the  verification  model.  These  rules  have  the  form 

{S}E  2  the  lambda-expression  representing  statement  S 

in  environment  E. 

Assignment  statement 

(v.  :=e),,  „  .  (e  is  an  expression) 

i  ^v1,...,vnJ 

1  A+taVj.aj..  •  •  Vn!'’Tl'  •  •  vi-1°i-l{e>0i-  •  •  vn“n 

Input-Output  statement 

{read  v.},  . 

-  r  iv1,...,vn; 

2  X<|>Tav1a1. . .  vnanox:<DTav1o1.  .  •  vi-i0i-iXoivi+iai+r  •  -V^o 


{write  e} 


(v.  , .  •  •  ,  v  ) 


1  ’ . n' 

=  X<()Tav1a1. . .  vnano:<j)Tav1a1. .  *  vnan°>  {e} 

Compound  statement 

(begin  S1,S2l...»Sn  23S>  ^ , . . . ,  vn) 

=  X<J> :  {S1}({S2H...({Sn}*)...)) 

Blocks 


{begin  <type>u1 ; . . .  <type>ujn;S1  ;S2 ; 

=  X<))Ta:{S1}F({S2>F(,  . .(  {Sp}F(Xxau1au 


,se  SM)(Vl...vn, 

...u  a  :<))Ta) )...))  xaQIfil. .  .ftl 

i  m  u  \  ..  j 

l  m 


m  times 

where  F  =  (u^,. . . »um*v]y • • »vm)  =  the  environment  extended 
by  the  newly  declared  variables  of  the  block. 

Since  in  the  verification  model  the  current  assertion  a  and  the 
list  of  verification  conditions  x  precede  the  representation  of 
the  variables,  we  have  to  include  a  and  x  in  the  specification  of 
a  block. 

For  every  new  variable,  which  is  introduced  by  the  block, 
we  need  a  stack.  This  stack  is  initially  empty  (I)  and  has  to 
be  deleted  at  the  end  of  the  block  together  with  the  variable. 
Conditional  Statements 


{if  b  then  S.  else  S0L  „  » 

—  — i  2  C  vx ,  •  • . ,  vn ; 
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=  X<ji:as  ({S1>  (£u({S2>  (sc  <j>) ) ) ) . 

Subsidiary  definitions: 

as  =  X(j>Tav1a1. . .  vnan:ij)T  (gush  (s2^o  &  b)  (add(~b)  a) 
v1(gush  v1c1) . .  .vn(£ush  vnan) 

This  takes  the  first  part  of  the  assertion  (which  represents  the 

valid  assertion  at  the  point  of  the  condition  statement)  s21a  and 

creates  two  versions  of  it,  which  in  addition  to  s2^a  also 

assume  b  or  ~b ,  respectively.  Furthermore,  the  current  values  of 

the  variables  are  pushed  onto  their  stacks.  This  is  necessary, 

because  now  we  want  to  perform  the  statement  {S1>,  which  might 

change  the  values  of  the  variables.  But  we  need  these  values 

for  the  execution  of  {S2)  later  on. 

su  =  X^TOtv.a.. . . .  va  s  4>t  (ch  (add(v,=v,  &  ...  &  v  =  via)) 

—  11  n  n  —  -  11  n  n 

(s21al)  (pop  al*  **•  *s2lan*  (pop  an) 

This  saves  the  results  of  the  execution  of  {S^}  by  adding  them 
to  the  current  assumption.  Now  we  are  ready  to  switch  the  first 
two  branches  of  the  "  assumption  tree" ,  which  causes  the  version 
containing  "b  to  become  the  current  assumption.  For  the  following 
execution  of  {S2}  we  delete  the  action  of  {S^}  on  the  variables 
and  restore  their  old  values,  which  is  achieved  by  unstacking  them. 
sc  =  X<j>Tav1c^.  ..vnan:<iiT  (comb  (add  (v-^=v1  &  ...  &  vn*vn)  a)) 

Vl-Vn 

This  finally  saves  the  results  of  the  execution  of  {S2>  by  adding 
them  to  the  current  assumption.  Afterwards  the  assumptions  for 
the  then  and  else  clauses  are  combined  to  a  single  one  by  disjunction. 
Since  the  results  of  both  {S1>  and  {S2>  are  now  saved  in  the  current 
assertion  and  are  denoted  by  v^,  we  make  v^  the  new  value  of  v^. 

Note:  The  second  form  of  IF-statement 

(if  b  then  S}(Vi . „n, 

is  translated  into 

X<J»:as  ( {S ^ >  (su(I  (sc  <J>) ) ) ) 
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Assert  statements 


{assert  a(vlf. . . ,vn,o)  } 

=  XijiTav^a^. . .  v^ono' :  <j)t;  (s21ot  ^a1 )  (sub  a  o) 


v, a, . . .vna  o 
11  n  n 


where 


a'  =  a(v^...,v^o’) 
sub  =  Xxy :push  x  (s^y ) 

The  lemma:  "current  assertion  =>  a  with  the  variables  replaced 
by  their  current  values"  is  added  to  the  verification  conditions. 
Afterwards  the  current  assumption  is  replaced  by  the  assumption 
a  and  we  delete  the  former  values  of  the  variables. 

Main tain-while  statement 

{maintain  a  while  b  do  S} 

=  X(jiTav1(T1...v  o  :ast  (ad.  ({S>  fast  (ad„d>) )  ) )  Tav.o, . . .  v  a, 

where 

ast  =  X^xav^a^. . .  v^ano'  :<|>T  ;  (s^uDa' )  (sub  a  a) 

v. a. . . .  v  a  o 
11  n  n 

is  a  representation  of  the  statement 
assert  a, 

ad.  =  X<t>tav.  ct.  . . .  va  :  <|>t  (add  b  a)  v.a....va 
adds  the  predicate  b  to  the  current  assumption. 

Now  the  statement  {S}  is  performed  and  afterwards  "ast"  checks 
whether  the  predicate  a  has  been  maintained.  This  procedure  sets 
up  the  necessary  verification  conditions  for  the  maintain-while 
statement.  What  remains  to  te  done  is  to  add  ~b  to  the  current 
assumption  and  examine  the  program  remainder: 

ad2  =  XtftxctVj^. .  «vngn;(frT  (add(~b)  a)  •  •  vnan* 


Examples  of  Translations  from  PL  into  the  Lambda- cal cuius 

We  now  present  some  examples  of  translations  of  programs 
obtained  by  using  the  rules  presented  above.  The  program  statements 
have  been  tagged  with  identifiers  used  as  the  names  of  the  cor¬ 
responding  lambda-expressions.  In  writing  lambda-expressions, 
certain  notational  liberties  have  been  taken  in  order  to  make 
them  human-readable?  the  intended  correct  form  must  be  obvious  in 
these  cases.  Thus,  expressions  have  been  written  in  the  usual 
infix  notation,  rather  than  the  proper  postfix  lambda-expressions. 
For  example, 

[gcd(n,m)  =*  gcd(x,y)  &  x>0  &  y>0] 
has  been  used  as  a  shorthand  for 

(&(&  (=  (gcd  n  m)f  gcd  x  y) )  (>_  x  0) )  (>_  y  0) )  . 

The  result  of  reductions  given  at  the  end  of  each  example  has 
been  obtained  by  means  of  a  computer  program  [2]  which  reduces 
lambda-expressions  to  their  simplest  (normal)  forms.  The  actual 
computer  print-out  is  included  with  one  example. 

Example  1.  Summation  of  a  given  number  of  consecutive  integers. 
Input  condition:  n>0  (n  is  input) 

Output  condition:  output  *  n 


begin  integer  m,s;  . . p 

read  m;  (*The  value  n  is  assigned  to  variable  m*) . re 

s:=0;  . . . . al 

begin  integer  j?  . bil 

j:=l;  . a2 

maintain  . . . 

s=(j-l)*j/2  and  m=n  and  j<m+l. . . ast 

while  j<m  do  . adl,ad2 

begin  . bH2 

s:=s+j;  . . a3 

j:=j+l  . a4 

end 

end; 


write  s?  (*  s  is  appended  to  the  (currently  empty)  output* »wr 
file  o.  Thus,  s^1o»s  *) 


assert  s^o  =  m*(m+l)/2  . ter 

end 

Final  Result . . . res 


Translations 

re  =  Xd>xa  mo  so  oi.  :  <j>xai, a  sa  o 
in  s  1  1  in  s 

al  =  X<j>xa  ma_sa  : <|>Tama  Oa 
ms  ms 

a2  =  X<j>xctj  :  <j>xal 

ast  h  X<j>xaj 1  o  .m'o  s '  a  :  <j>  (x ;  (s01 013  [s  '=  ( j  '-1)  *j  '/2  &  m^n'  &  j'^m+l])) 

(sub  [s=(j-l)*j/2  &  m=n  &  j<nH-l]ct)  jo. mo  sa 
r  j  in  s 

adl  =  X(j>xa: 4»x (add  tj£m]a) 

ad2  =  X4)xa:4>T  (add  tj>m]a) 

a3  =  Xc()xaja.ma  sa  s<j>xaja.ma  [s+j]a„ 
jms  Jjm  s 

a4  =  Xcjixajo  j  :<()xa[  j+l]Oj 

b*2  =  X(J>:a3  (a4  <j>) 

mw  =  X 4> : as t  ( adl  (bl2  ( ad2  <*>)))) 

bJLl  =  X(|)xa:a2  (mw(Xxajo  j  :<j»xa) )  xafil 

wr  =  XAxamo  so  o:<t>xama  so  (o;s) 
ms  ms 

ter  =  X^xarn'o^'a^' :<j)(x;  (s21a3Is11o'=m' *(m'+l)/2]) ) 

(sub  [s11o=m*(m+l)/2]a)  momsoso 
p  =  X(J>xa:re  (al  (bill  (wr  (ter  (Xxamamsag  :  <j>xot) ))))  xafilftl 
res  =  p(Xxao:x)  I  <;n>0,I>  In 

By  lambda-calculus  reduction,  we  obtain: 
res  -*■  <  [n>0  3  0=0  &  n=n  &  l£n+l]  ,  [s=~jj— ^  &  S.=n  &  i£H+l  &  i^& 

3  s+i  =  &  SL-n  &  i+l=il+lj ,  &  Jl=n 

&  i^S,+l  &  i>  2,  s=Z  3> 

Thus,  res  is  a  list  containing  the  three  required  verification 
conditions.  It  is  easily  seen  that  each  of  these  conditions  is 
true.  So  the  program  is  partially  correct  with  respect  to  the 
specified  input  and  output  conditions. 
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Example  2.  Square- root  program. 

Input  condition:  n>0  (n  is  input) 

2 

Output  condition:  output  =  max  k  >n 

k>0 


begin  integer  x.y^y 2,y3?  . p 

begin  . aa 

read  x?  (*  The  value  n  is  assigned  to  variable  x  *)...re 

(yl'y2,y3)  :=(0,0fl)  '  . al 

y2**®y2+y  3  . a2 

end? 

maintain  ntw 

2  2 

x=n  and  y^n  and  y2=(y1+l)  and  y3=2*y1+l . ast 

while  y2<x  do  adl,ad2 

Cy1/y2/y3)  s=Cy1+l,y2+y3+2,y3+2) ; . bb 

write  yx?  . . 

(*  y1  is  appended  to  the  (currently  empty)  file  o.  Thus, 

su°-*i  *» 

assert  (s^o)  *<n  and  n<  ( (s^oj+l)  £ . ter 

end 

Final  Result . res 


Translations 

re  i  H^^xyi^iy2<’y2y30y3olr»TC‘llVlayiy2!,y2y3',y3 
al  =  l,Taxoxyleyiy2ey  yjOy^Taxo^Oo^Oa^le^ 

a2  i  ^^^^yiy2oy2y3oy3  =  +taxaxy1eyi[y;,+y3]ey2y3ay3 
aa  =  A<J>:re(al(a2  <j>)) 

ast  =  X^Tax'o^^Oy  y’ay  y^ay  :Mt;  (s21ao[x'=n  &  y£2<n 

12  3 

&  y^»(yi+D2  &  y^»2*yj+i])) 

(sub  Ix-n  &  y2<n  &  y2»(y1+l)2  &  y3»2*y1+l] a) xa^^y  y2ay  y3ay 

12  3 

adl  =  X$Ta:<frT  (add  ly2^x]a) 
ad2  =  A$xa:$T(add  Iy2>x]ct) 

bb  5  X+TMO^jO^yjO^yjOy^Tax^Cy^llo^lyj+y^le^lyj+lIc.^ 
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nw  =  X$:ast (adl (bb(ast (ad2  4>) ) ) ) 

wr  =  l*™™y?1°YY2°y*3°i3°1*''maJl°y1*2ay*2°v3<°IYi) 

ter  =  AttTax'a^yJo  y^Oy  o' s*  (t;  (s21a  =>t  (SyyO1  )2^n  i  n<  ( (Sj^o'  )+l?] )  ) 

(sub  ((suo)<<n  &  n<  ( (s11o)+l)  ]  a)  y2ay  y3ay  ° 

12  3 

p  =  X(j>Ta:aa(nw(wr(ter  (Xtaxcxy1ay  y2ay  y3ay  s  $Ta) ) ) )  Tafllfllfllfll 

12  3 

res  2  pCXt«o:t)  I  <n>0,  I>  In 


By  lambda-calculus  reduction/  we  obtain: 
res  +  <[n>0  3  0  <n  &  1=1  &  1=1  &  n=n] , 

[y2fn  &  y2=(y1+l)2  &  y3=2y1+l  &  x=n  &  y2<x 

^(y^l)2^  &  y2+y3+2=  (y^l+1)2  &  y3+2=2  (y^D+l  &  x=n] , 

Ly\<n  &  y2=(y1+l)2  &  y3=2y1+l  &  x=n  &  y2>x 
&  n<(y1+l)2]> 

Thus,  res  is  a  list  containing  the  three  required  verification 
conditions.  It  is  easily  seen  that  each  of  these  conditions  is 
true.  So  the  program  is  partially  correct  with  respect  to  the 
specified  input  and  output  conditions. 


Example  3.  GCO  calculation. 

Input  condition:  n>0  &  m>0  (m,n  are  inputs). 
Output  condition:  output  =  gcd(n,m) 


begin  integer  x,y;  . h 

read  x,y;  (*  Input  values  n,m  assigned  to  x,y  *) . ....a 

maintain 

gcd(n,m)*gcd(x,y)  &  x>0  &  y>_0 . . ast 

while  x^y  do  . . adl , ad2 

if  x>y  then  as,sc,d,e 

x:*x-y  . ..b 

else  . . . su 

y  :=y-x;  . . . . . c 

write  x;  . . f 


(*  Value  of  x  appended  to  (currently  empty)  output 
file  o.  Thus  s^o-x  *) 


end 


assert  gcd(n/m)=s11o 
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Final  Result . res 


Translations 

a  s  X<J>toi  xaxyayoi1i2:4»tai1CTxi2ayo 

ast  =  X^Tax'a^'Oy  :<J>(t;  (s21a  3lgcd(n,m)=gcd  (x'  ,y' )  &  x'>0  &  y'>0])) 
(sub  [gcdCn/mJ^gcdCxjy)  &  x>0  &  y>0]  aJxCT^a^ 
adl  =  X <j>iaxa^a„  :4>t  (add  [x^y]  a)  xcr^ycr.. 
ad2  i  X4>Taxa3eyg„  ;<j)T  Caddlx=y1  a)xa;;ya„ 

as  =  X^taxo^ay : (j)T  (£ushCs21a  &  [x>y] )  Cadd Ix<y]  a) ) x (push  xax)y(push  ya„) 

b  =  \<praxa^ay  :<J>Ta  [x-yla^Cy 

su  =  XfrTctxq^yq ; 4>rch (addlx=x  &  y*=y]ot)  Cs21q:JCpop  o^}  Cs^Oy)  (pop  oy) 
c  =  X^Taxa^Oy  :<J>Taxax[y-x]ay 

sc  =  X(|)Totxg3cya„;({)Tcoinb  (addjx^x  &  y=y]  a)  xa^cTy 
d  =  X<J>  :as  (b  (su(c  (sc  <}>)))) 
e  =  X<J>  :ast  (adl  (d(ast  Cad2  $1})) 
f  =  X^Taxa^CTyOr^xaxa^CTy  Co;x) 

g  =  X^Tax'c^'ayO*  :4>Ct;  Cs21a  slgcdCn^ml^Sj^j^o’]  )  1 
(sub  [gcd  (n  ,m)  =s  11o]  a )  xa^CyO 
h  =  X<j)Ta:a(e(f  (gCXxa  : ijita)  ) ) )  Tamm 

res  =  h  (Xxoto  :t)  I<  [n>0  &  m>oj  ,  I>  I  n  m 


By  lambda-calculus  reduction,  we  obtain 
res  -*■  <  [n>0  &  m>0  3  gcd(n,m)=gcd(n,m)  &  n>0  &  m>0] , 

[gcd(n,m)«gcd(x,y)  &  x>0  &  y>0  &  x/y  &  x<y  &  x=x  &  y=y-x 
or  gcd(n,m)=gcd(x,y)  &  x>0  &  y>0  &  x/y  &  x>y  &  x=x-y  &  y=y 
3  gcd(n,m)=gcd(x,y)  &  x>_0  &  y>0] , 

[gcd(n,m)=gcd(x,y)  &  x>0  &  y>0  &  x=y  ZD  gcd Cn ,m)  =xl  > 

Thus,  res  is  a  list  containing  the  required  verification  conditions.  As 
each  verification  condition  is  true,  the  program  is  partially 
correct  with  respect  to  the  specified  input  and  output  conditions. 


Translations  of  individual  statements  into  the  lambda- calculus 
(Note:  L  stands  for  X  on  computer  input.) 


1  ■  <L  PHI  (L  T  AU  ( L  AL  (L  VX(L  SX(L  VI  (L  SI  (L  01(1*  II  (L  12 
(PHI  TAU  AL  II  SX  12  SI  01))))))))))). 

•  % 

AST  =  (L  PHI  (L  TAO(L  AL  (L  VXP(L  SX  (L  VYP(L  SI  (PHI  (PSfi  TAD 

(  (S2 1  AL)  IHP  (fcCU  (GCD  N  ft)  (GCD  VXP  VYP)  AND  (GE  VXP  0) 

AND  (GE  VYP  0)))) 

(SUE  (ECO  (GCD  N  ft)  (GCD  VX  VY)  AND  (GE  VX  C)  AND 
(GE  VY  C))  AL)  VX  SX  VY  SY)))))))). 

ADI  =(L  PHI  (L  TAD  (L  AL  (L  VX  (L  SX  (L  VY  (L  SI  (PHI  TAO  (ADD 
(NE  VX  VY)  AL)  VX  SX  VY  SY)  ))))))). 

AD2  -  (L  PHI  (L  TAU  (L  AL  (L  VX(L  SX  (L  VY  (L  SY  (PHI  TAU  (ADD 
(EQU  VX  VY)  AL)  VX  SX  VY  SI)))))))). 

AS  *  (L  PHI  (L  TAU(L  AL  (L  VX  (L  SX(I  VY(L  SY(PHI  TAU  (PSH 

(  (S21  AL)  AND  (GT  VX  VI))  (ACE  (LE  VX  VY)  AL)  )  VX 

(PSH  VX  SX)  VY  (PSH  VY  SI))))))))). 

BB  =  (L  PHI  (L  TAO(L  AL  (L  VX  (L  SX  (I  VY  (L  SY  (PHI  TAU  AL 
(-  VX  VY)  SX  VY  SY  )))))))). 

SO  =  (L  PHI (L  TAU (L  AL ( L  VX(L  SX (L  VI(L  SY  (PHI  TAD  (CH 
(  ADD  ((EQU  VXB  VX)  AND  (EQU  VYB  VY)  )  AL)  )  (S21  SX) 

(S22  SX)  (S21  SY)  (S22  SY)))))))))  . 

CC  =  (L  PHI (L  TAU(L  AL  (L  VX(L  SX  (L  VY(L  SY  (PHI  TAU  AL 
VX  SX  (-VY  VX)  SI)))})))). 

SC  *  (L  PHI  (L  TAO  (L  AL  (L  VX(L  SX(L  VI  (L  SY  (PHI  TAU  (COB 
(ADD  (  (EQO  VXB  VX)  AND  (EQD  VYB  VY))  AL)) 

VXB  SX  VIB  SY) )))))) )  . 

D  =  (L  PHI  (AS  (BB  (SO  (CC  (SC  PHI)))})). 

E  =  (L  PHI  (AST(AD1  (D  (AST  (AD2  PHI)))))). 

F  =  (L  PHI  (L  TAU  (L  AL  (L  VX(L  SX  (L  VY  (L  SY  (L  01  (Phi  TAD  AL 

VX  SX  VY  SY  (PSH  01  V X) )))))))))  . 

G  «  (L  PHI (L  TAU  (L  AL  (L  VXP(L  SX (L  VYP(L  SY  (L  OP  (PHI 
(PSH  TAU  (  (S  2 1  AL)  IMP  (EQU  (GCD  N  ft)  ( S 1 1  OP)))) 

(SUB  (EQO  (GCD  N  £1)  (S11  01))  AL)  VX  SX  VY  SY  Cl))))))))). 

H  *  (L  PHI  (L  TAU  (L  AL  ((A  (E  (F  (G  (L  TAO  (L  AL  (L  VX  (L  SX  (L  VY 

(L  SY  (PHI  TAU  AL)  )))))))))  )  TAU  AL  CB  I  CM  I) )  )  )  . 

HES  *H(L  TA  U  (L  AL  (L  OUT  TAU)  )  )' I  ( PSH  (GE  N  0  AND  GE  E  0)1)1  N  h . 


Definition  of  auxiliaxy  objects 
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PSH  =  (L  A  (L  B  (L  X  (X  A  B)  )  )  )  . 

SEC  * (L  X  (L  Y  Y) )  . 

Sli  =T  i.  (Alternative  definition —  T  =  ;yx  is  a  primitive) 

521  =T  K. 

522  =T  SEC. 

SUB  =(L  VX  (L  VY  (PSH  VX  (S22  VY)))J. 

ADD  ={L  VZ  (L  X  (PSH  ((S21  X)  AND  VZ)  (S22  X)))). 

CH  *  (L  VZ  (PSH  (S21  (S22  VZ) )  (PSB  (S21  VZ)  (S22  (S22  VZ))))). 

COK  =(L  VZ  ((PSH  (OB  (S21  VZ)  (S21  (S22  VZ)  )  )  )  (S22  (S22  VZ)))). 

Now  RES  should  reduce  to  a  list  of  three  verification  conditions. 
Due  to  the  definition  of  lists,  RES  has  the  form  <<<P>,Q>*R>. 

The  components  sure  extracted  below  in  the  order  R,  Q,  and  P. 


S22  (S2 1  (S21  RES)). 

INPUT  OBJECT  IS... 

:  S22  (S2 1  ( S 2 1  RES)) 

REDUCED  OBJECT  IS... 

GE  N  0  AND  GE  H  0 

IHP  (EQU  (GCD  N  K)  (GCD  N  K)  AND  (GE  N  0)  ANC  (GE  fi  0)  ) 


S22  (S2  1  RES)  . 

INPUT  OBJECT  IS... 

:  S22  (  S2  1  RES) 

HEDUCEC  OEJECT  IS... 

OR  (EQU  (GCD  N  IJ)  (GCD  VX  VY)  AND  (GE  VX  0) 

ANC  (GE  VY  0)  ANC  (NE  VX  VY)  AND  (LE  VX  VY) 

AND  (EQU  VXB  VX  AND  (EQU  V YB  (-VX  VX)))) 

(EQU  (GCD  N  K)  (GCD  VX  VY)  AND  (GE  VX  0) 

AND  (GE  VY  0)  AND  (Nc  VX  VY)  AND  (GT  VX  VY) 

ANC  (EQU  V X E  (“  VX  VY)  ANC  (EQU  VYB  VY)  )  ) 

IBP  (EQU  (GCD  N  C)  (GCD  VXB  VYB)  AND  (GE  VXE  0) 
ANC (GE  VIE  0)) 


S22  B£S. 

INPUT  OBJECT  IS... 
:  S22  blS 


BEDUCED  OBJECT  IS... 

EQU  (GCO  N  K)  (GCD  VX  VY)  AND  (GE  VX  0)  AND  (G£  VY  0) 
AND  (EuD  VX  VY) 

IBP  (EQU  (GCD  N  H)  VX) 
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The  Correctness  of  Verification  Model 

We  would  now  like  to  prove  that  the  verification  model  pre¬ 
sented  above  is  correct.  In  other  words ,  we  would  like  to  show 
that  the  translation  of  a  PL  program  according  to  the  above-given 
rules  indeed  reduces  to  a  list  containing  the  lambda-calculus 
representation  of  all  verification  conditions.  We  begin  with 
some  definitions: 

A  path  a  in  a  PL  program  is  said  to  be  basic  if  it 
—starts  with  an  "assert"  or  "maintain"  or  starts  at  the  beginning 
of  the  program, 

— ends  with  an  "assert"  or  "maintain",  and 
— does  not  contain  any  other  "assert"  or  "maintain". 

The  verification  condition  for  a  basic  path  a  with  starting 
assertion  q,  terminating  assertion  p  and  path  condition  y  (the 
condition  under  which  y  is  traversed)  is 
q  &  Y  =>  Pi 

where  the  variables  in  q  are  replaced  by  the  result  of  performing  a. 

The  verification  condition  list  for  a  PL-program  is  a  list  of 
verification  conditions  of  all  its  basic  paths. 

The  predicate  after  an  "assert"  or  "maintain"  is  referred  to  as 
an  assertion. 

With  these  definitions  the  following  theorem  holds. 

Theorem:  If  the  assert  (and  maintain)  statements  in  a  PL-program 
P  contain  only  program  variables,  symbols  i^,...,in  for  the  input, 
the  symbol  o  for  the  output  and  constants,  and  {prog}  is  a  translation 
of  P  into  the  verification  model,  and  otg  is  the  input  assertion, 
then 

{prog}  (Axcto:x)  I  <aQ,I>  I  i^,...,in 
generates  the  verification  condition  list  for  P. 

Proof : 

(\xao:x)  as  the  final  program  remainder  deletes  all  the  information 
but  x,  the  verification  condition  list. 

(*) 

We  show  that  for  all  basic  paths  leading  from  assertions  q^,...rq^ 
via  path  conditions  to  the  assertion  p  in  a  PL-program, 

(*)  Some  of  the  q^'s  may  be  equal. 
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the  corresponding  translation  into  the  verification  model  generates 
the  verification  conditions 

qx  &  Yx  =>  P(x) 

and 


and 

qk  f.  Yk  ->  P(*> 

and  adds  them  to  t,  the  list  of  verification  conditions,  x 
denotes  the  values  of  the  variables  immediately  before  the 
assertion,  possibly  also  containing  the  value  of  the  output  var¬ 
iable  o. 

Proof  by  structural  induction: 
basis : 

q  and  p  follow  each  other  immediately,  after  execution  of  assert  q, 
a1  is  q. 

The  path  cond.  y  =  T. 

The  variables  hold  xir...,xn. 
assert  p  generates  the  lemma 

s21a=>  Plx=x 

which  is  true. 
induction  step? 

(a)  Suppose  the  hypothesis  holds  for  arbitrary  p,q1,...,qk  in  a 
PL-program.  Now  consider  a  PL-program  where 
x.s-e(x1,...,xn); 
assert  r 

is  substituted  for 
assert  p. 

Let  a  denote  the  stack  of  assertions  before  the  execution  of  the 
assignment,  which  is  the  same  as  the  one  in  the  original  program 
before  assert  p. 

Let  x  be  the  variable  values  before  the  assignment. 

If  we  now  let  p(x)  =  r (x^, . . . ,xi-1 ,e (xx , . . . ,xR) ,xi+1, . . . ,xn) 

we  know  from  the  hypothesis 

s_ .  a  * >  d  I  — 

21  ^'x»x 

is  equivalent  to 


j=l r  •  •  •  r 


k 

and  furthermore  to 

.A  ^qj  &  Yr  ->  x=  (3^,. . .  ,e  (xx,. . .  ,xn) .  .xn) ) 

/ • • • /k 

(b)  Suppose  the  hypothesis  holds  for  arbitrary  p/q^,...,qjc  in  a 
PL-program.  Now  consider  a  program  where 
begin  <type>  u^, . . . ,<type>  um? 
assert  r  (u^ f  •  •  *  * •  •  •  / ) 
is  substituted  for 
assert  p. 

Let  a  denote  the  stack  of  assertions  before  the  execution  of  the 
assignment,  which  is  the  same  as  the  one  in  the  original  program 
before  assert  p. 

Let  x  be  the  variable  values  before  the  begin. 

If  we  now  let 

P (x)  =  r (ft, . . . ,nfx. . . ,x„) 

«■  ,  -  '  i  n 

m 

we  know  from  the  hypothesis 
s2ia 

is  equivalent  to 

A  <«j  s  =>  Plx-X1 

j=l , • • • fk 

and  furthermore  to 

A  (qj  *  ifj  ->  rlu-ai),x=x) 

j=l , • • • /k 

Cc)  Suppose  the  hypothesis  holds  for  arbitrary  p,q1/...,qJc  in  a 
PL-program.  Now  consider  the  program  where 
end?  ( <type  >u^ <type  >um) 
assert  r(x1,...,xn) 
is  substituted  for 
assert  p. 

Let  a. . .  stack  of  assertions  before  end 
x,  u. . .  variable  values  before  end. 

(1)  u^  did  not  overwrite  some  global  variable  x...  Then  if  we  let 

P(“1'***»VX1».’*'V  :»r(Xl,...,xn) 
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we  knew  from  the  hypothesis: 

s21a  =>  P  ^  u*u,x=x 
is  equivalent  to 

A  lV  *J  “>  plx-x> 

j“l r • • • f k 
and  futhermore  to 

y\  C<3j  &  Yj  a*>  rlx*3c^ 
j“l/ • • • /k 


(2)  If  however  overwrote  the  global  variable  Xj  ,  we  could 
change  the  name  of  u^,  so  that  this  phenomenon  does  not  occur 
and  we  get 

A  fcj  *  Yj  ->  *1*.*) 

j^l,.. . ,k 

(d)  Suppose  the  hypothesis  holds  for  arbitrary  P/q^f...»qk  in  a 
PL-program.  Now  consider  the  program  where 
if  b(xir...,xn)  then 
assert  r 

is  substituted  for 

assert  p (x^ , , , . ,xn) . 

Let  a. . .  stack  of  assertions  before  if 
x. . .  variable  values  before  if 
The  execution  of  the  ijE  changes 

a  «  <a1,...>  to  <a1&  bCxJ^a.^  &  ~b(x),...» 
and  leaves  x  unchanged. 

If  we  let 

p  (x)  *  (b  (x)  *>  r  (x) ) 
then  we  know  from  the  hypothesis  that 

s21a  ->  pt** 

generates  the  correct  verification  conditions 

/\  (qj  &  Yj  “>  P<*1). 

j*l# • • • 

So 

s21o  &  b(x)  *>  r(x) 
which  is  equivalent  to 


s2la  “>  tb(x)  ■>  r  (x) ). 


Also  generates 

/\  (qj  &  Yj  =>  P(x)) 


(q j  &  Yj  &  b  (x) 


j  1| « « • |k  j“l/ • « t  fk 

which  are  the  correct  verification  conditions  for  the  paths 
leading  to  assert  r  in  the  modified  program. 
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=  >  r(x) ) 


(e)  Suppose  the  hypothesis  holds  for  arbitrary  pfq^,...,q  in 
a  PL-program.  Now  consider  the  program  where 
if  b(x)  then 


else 

assert  r(x) 
is  substituted  for 
assert  p. 

Let  a...  stack  of  assertions  before  i_f,  x...  variable  values  before  if 
The  execution  of  if  changes 

a  =  <o^/...>  to  <a^  &  b(x} ,  <a^  &  ~btx),...>> 
and  puts  the  values  x  on  the  variable  stacks. 
else  causes 

<8^,0^  &  ~b(x),...>>  to  be  changed  to  <a1  &  ~b(x) 
and  the  variable  values  are  retrieved  from  the  stacks.  A  reasoning 
analogous  to  that  in  (d)  now  causes  s2]_ci  &  ~b(x)  =>  r(x)  to  be 
equivalent  to  the  correct  verification  conditions 
/\  Cqj  &  Yj  &  ~b  (x)  =>  r(x) ) . 
j =1 » •  •  •  fk 

(f)  Suppose  the  hypothesis  holds  for  arbitrary 

qy  •  •  *  q£#  pe,  q^,...,  q®  in  a  PL-program 


if  b  (x)  then 

begin 

• 

•  t 
assert  p  (x) 

end 

else 

begin 

• 

•  e 

assert  p  (x) 

end; 

f  0 

Now  consider  the  program  where  assert  p  ,  p  are  eliminated  and 
replaced  by  assert  r(x)  after  the  if- statement. 


if  b (x)  then 
begin 

fend 

else 

begin 


end; 

assert  r(x) 

Let  a...  stack  of  assertions  before  pt 
a'...  stack  of  assertions  before  pe 
a"...  stack  of  assertions  after  if-statement 
xfc. . .  variable  values  before  pfc 
x®...  variable  values  before  pe. 

From  the  induction  hypothesis  we  know 

s21a  “> 

is  equivalent  to 

A  (<3j  *  Yj  P*^)) 
j“l#. . . /k 
and 

S2la'  P6(Se) 
is  equivalent  to 

A  taj  *  y®  ->  pe(x*>>.. 

jml  t  *  •  .  fL 

a'  »  <s21a*  ,<s21a  &  3c»xt,...>> 

a"  »  <(s21a  &  yp'x')  v  (s21a'  &  x=x® ),...> 

the  variable  values  after  the  if-statement  are  x. 

Let  pt(x)  2  (x»x  ->  r  (x) ) 


So 


p  (x)  5  (x*x  ->  r (x) ) 


s21a"  ->  rCX) 


is  equivalent  to 


Cs21a  &  3t*xc  ■>  r(x))  &  (s,7a'  &  x=x  =>  r(x)) 
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or 


<«■> 


^s21a  *  <S910t'  *>  ?*(**)) 
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f\  (<3j  &  Yj  m>  rtx*))  &  f\  (q*  &  Y*  ->  r(: 
j“l»»«»»k  j“l» • • • ;L 

which  are  the  correct  verification  conditions. 


(g)  Because  of  (a)  -  (f)  we  know  that  for  all  PL-prograins  without 
while- loops  the  model  generates  the  verification  conditions. 

Now  suppose  there  are  k  basic  paths  from  leading  to 

maintain  p(x) 
while  b(x)  do 
S 

We  want  to  add  the  lemmas 

qj  &  Yj  => 

to  t ,  where  x  denotes  the  variable  values  immediately  before  the 
main tain -while  statement. 

We  know  by  induction  hypothesis  that  if  we  replace  this  maintain- 
while  statement  by 
assert  p(x) 

the  model  will  generate  these  verification  conditions  at  that 
point.  But  we  observe  that  the  first  step  in  the  translation  of 
the  maintain-while  statement  is  exactly  to  perform  this  assertion 
Thus  the  desired  effect  is  achieved. 

The  only  way  of  entering  the  statement  S  is  through  assuming  p (x) 
and  b(x)  (which  is  carried  out  in  the  second  step  of  the  trans¬ 
lation  of  maintain-while)  and  we  can  leave  it  only  by  asserting 
p(x)  again. 

That,  however,  is  exactly  the  way  of  processing 
assart  p(x)  &  b(x) 

S 

assert  p (x) 

in  the  verification  model. 

So  we  know  by  induction  hypothesis  that  for  all  the  basic  paths 
ending  in  S  or  leading  back  to  the  top  of  the  maintain-while 
statement,  the  correct  verification  conditions  are  added  to  t. 

Finally  we  want  to  start  a  new  basic  path  by  assuming  p(x)  &  b(x) 
and  that  is  exactly  what  happens  in  the  model. 
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